I have two web applications: web application (web-app) and report web. I want to embed report web in web-app in an <iframe>. It is refused by the browser with the error:
X-Frame-Options: DENY
Any help?
The value of X-Frame-Options can be DENY (default), SAMEORIGIN, and ALLOW-FROM uri. According to the Spring Security documentation, you can tell Spring to overwrite the default behaviour by adding your custom header this way:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))))
            ...
    }
and Spring shall append X-Frame-Options: ALLOW-FROM ... or

    .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

for X-Frame-Options: SAMEORIGIN, or disable it completely with

    http.headers().frameOptions().disable()
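An added example, not part of the answer above: current browsers do not honour ALLOW-FROM, and `frameOptions().disable()` on its own lets any site frame report web, so this sketch of report web's configuration restricts framing to one origin with the Content-Security-Policy `frame-ancestors` directive. The class name `ReportWebSecurityConfig` and the origin `https://web-app.example.com` are placeholders, and it assumes the same `WebSecurityConfigurerAdapter` style the answer uses.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Goes in report web (the application being framed), not in web-app.
@EnableWebSecurity
public class ReportWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder: scheme + host (+ port) of the web-app that hosts the <iframe>.
    private static final String WEB_APP_ORIGIN = "https://web-app.example.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Stop sending the default "X-Frame-Options: DENY", which has
                // no value that can name a single foreign origin in modern browsers.
                .frameOptions().disable()
                // Allow framing only by report web itself and by web-app.
                // Every other embedding origin is still refused by the browser.
                .contentSecurityPolicy("frame-ancestors 'self' " + WEB_APP_ORIGIN);
    }
}
```

With this in place the response carries `Content-Security-Policy: frame-ancestors 'self' https://web-app.example.com`; browsers that do not implement `frame-ancestors` get no framing restriction at all from this configuration.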